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Damian  Collins 

Chair,  Digital,  Culture,  Media  and  Sport  Committee 
House  of  Commons 
London 
SW1A  OAA 

14th  May  2018 

Dear  Mr  Collins, 

Thank  you  for  your  letter  of  1st  May  following  the  testimony  of  Facebooks  Chief  Technology 
Officer  Mike  Schroepfer. 

In  your  letter  you  listed  39  points  where  the  Committee  felt  our  answers  were  unsatisfactory  or 
where  during  the  hearing  we  offered  to  provide  further  information.  This  letter  contains  our 
response  to  those  39  points.  Where  appropriate  we  have  included  references  to  the  transcript  of 
Mr  Schroepfer’ s  testimony  showing  where  he  answered  a  number  of  these  points  at  the  time. 

Questions 

1.  What  is  the  percentage  of  sites  on  the  internet  on  which  Facebook  tracks  users? 

Facebook  provides  a  number  of  different  tools  that  third  parties,  such  as  website  owners  and 
publishers,  can  choose  to  integrate  into  their  services.  These  technologies  have  a  range  of 
purposes:  Facebook  social  plugins,  such  as  the  Like  button  and  Share  button,  enrich  users' 
experience  of  Facebook  by  allowing  them  to  see  what  their  Facebook  friends  have  liked,  shared, 
or  commented  on  across  the  Web.  Facebook  also  offers  the  Facebook  Pixel,  which  allows  third 
parties  to  understand  how  people  are  engaging  with  their  content  and  better  reach  people  who 
use  or  might  be  interested  in  their  products  and  services. 

We  receive  information  when  a  site  or  app  that  use  these  Facebook  technologies  is  visited. 
Specifically,  our  servers  log  (i)  standard  browser  or  app  records  of  the  fact  that  a  particular 
device  or  user  visited  the  website  or  app  (this  connection  to  Facebook's  servers  occurs 
automatically  when  a  person  visits  a  website  or  app  that  contains  our  technologies,  such  as  a 
Like  button,  and  is  an  inherent  function  of  Internet  design);  and  (ii)  any  additional  information 
the  publisher  of  the  app  or  website  chooses  to  share  with  Facebook  about  the  person's  activities 
on  that  site  (such  as  the  fact  that  a  purchase  was  made  on  the  site). 

(See  https://www.facebook.com/policies/cookies).  Facebook  requires  third  parties  using  these 
technologies  to  do  so  in  accordance  with  all  applicable  laws  including,  where  applicable, 
obtaining  appropriate  valid  consent  from  the  end  user. 
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As  explained  by  Mr  Schroepfer  (Q2103),  many  companies  offer  these  types  of  services  and,  like 
Facebook,  they  also  get  information  from  the  apps  and  sites  that  use  them.  He  explained,  for 
example,  that  Parliament's  website  www.parliament.uk  collects  and  shares  browser  and  cookie 
information  with  six  different  companies-  Google,  Linkedln,  Twitter,  Hotjar,  Pingdom  and 
Facebook-  so  when  a  person  visits  Parliament's  website,  it  sends  information  about  their  visit  to 
each  one  of  those  third  parties.  Twitter,  Pinterest  and  Linkedln  all  have  similar  Like  and  Share 
buttons  to  help  people  share  things  on  their  services.  Google  has  a  popular  analytics  service.  And 
Amazon,  Google  and  Twitter  all  offer  login  features.  These  companies  —  and  many  others  — 
also  offer  advertising  services.  In  fact,  most  websites  and  apps  send  the  same  information  to 
multiple  companies  each  time  you  visit  them. 

Between  9  April  and  16  April  2018,  the  Facebook  Like  button  appeared  on  8.4M  websites,  the 
Share  button  appeared  on  93  IK  websites,  and  there  were  2.2M  Facebook  Pixels  installed  on 
websites.  We  do  not  know  the  total  number  of  websites  in  the  world  in  order  to  express  this  as  a 
percentage. 

2.  Did  the  Internet  Research  Agency  use  custom  audiences?  What  targeting  tools  did  the  IRA 
use  for  their  advertising?  Did  they  have  a  custom  audience  for  state-by-state  campaigns/races 
in  the  USA?  Did  they  use  look-alike  audiences  from  Facebook  as  part  of  their  advertising 
spend? 

The  vast  majority  of  Internet  Research  Agency  adverts  did  not  use  custom  audiences  to  target  the 
ads  we  identified  that  were  run  in  the  United  States  between  June  2015  and  August  2017.  In  the 
limited  cases  when  it  did  run  ads  using  custom  audiences  in  its  targeting,  the  IRA  used  either  a 
Website  Custom  Audience  or  Lookalikes.  The  former  enables  advertisers  to  target  people  on 
Facebook  that  have  visited  their  website,  through  use  of  the  Facebook  pixel.  The  Lookalike 
audience  tool  enables  advertisers  to  reach  new  people  on  Facebook  who  are  similar  to  members 
of  an  existing  audience.  In  addition,  we  found  that  the  IRA  did  not  use  Data  File  Custom 
Audiences  (DFCAs),  which  is  the  only  type  of  custom  audience  that  is  created  based  on  data 
provided  by  the  advertiser.  Advertisers  create  DCFAs  by  uploading  a  data  file  with  a  list  of 
people  for  whom  they  have  contact  information,  such  as  email  addresses  and  phone  numbers. 
Once  the  file  is  uploaded,  the  data  is  hashed  (to  safeguard  the  privacy  of  the  people  involved). 
Facebook  then  uses  the  hashed  data  to  find  matches  with  Facebook  users  to  create  the  audience. 

3.  What  is  Facebook’s  definition  of  a  political  advertisement?  What  budget  does  Facebook  put 
behind  examining  the  parameters  and  use  of  political  adverts? 

The  precise  definition  of  what  constitutes  a  political  advert  will  vary  by  location  reflecting 
local  laws  and  regulations.  In  the  UK,  the  Electoral  Commission  provides  relevant  guidance  (for 
example,  regarding  what  constitutes  campaigning  in  a  referendum,  and  what  constitutes  political 
campaigning).  As  part  of  preparing  to  roll  out  our  political  advert  transparency  measures  in  the 
UK  we  will  be  working  with  the  Commission  (together  with  other  relevant  UK  stakeholders  and 
experts)  to  develop  appropriate  definitions  for  the  UK. 
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Our  advert  transparency  measures  are  aimed  at  identifying  both  adverts  placed  by  or  on  behalf  of 
a  politician  or  candidate,  as  well  as  adverts  aimed  at  influencing  opinion  on  political  issues.  As 
confirmed  to  the  Committee  by  Mr  Schroepfer,  our  intention  is  for  Facebook' s  new  transparency 
measures  to  be  in  place  in  the  UK  in  time  for  the  UK  local  elections  in  20 1 9,  if  not  before. 

A  key  stage  of  our  transparency  efforts  —  the  view  ads  tool  —  will  become  available  in  the  UK 
in  June  of  this  year.  This  will  enable  people  in  the  UK  to  see  all  of  the  ads  every  advertiser  is 
running  on  Facebook  at  the  same  time. 


In  time  for  the  local  elections  in  May  2019,  we  will  require  those  seeking  to  run  political  adverts 
to  complete  an  authorization  process  to  help  ensure  ads  are  coming  from  authentic  accounts  and 
when  they  run  they  will  be  required  to  display  who  paid  for  them.  They  will  be  placed  in  a 
searchable  archive  that  would  include  the  ads  themselves  and  certain  information  about  them 
(such  as  how  many  times  an  ad  may  have  been  seen,  how  much  money  was  spent  on  them,  and 
what  kinds  of  people  saw  them). 

Our  teams  are  dedicating  considerable  time,  effort  and  resources  to  addressing  advertising 
transparency,  particularly  with  respect  to  political  adverts.  While  there  is  no  single  budget  figure, 
this  is  a  critical  engineering  and  business  priority  and  teams  from  across  our  companies  have  and 
will  continue  to  tackle  these  issues  with  urgency. 

4.  How  many  developers  did  your  enforcement  team  at  Facebook  take  action  against  between 
2011-2014? 

Due  to  system  changes,  we  do  not  have  records  for  the  time-period  before  2014  that  establish  the 
number  of  apps  we  terminated  for  developer  violations.  However,  we  regularly  take  action 
against  apps.  For  example,  in  2017,  we  took  action  against  about  370,000  apps,  ranging  from 
imposing  restrictions  on  certain  features  to  removal  of  the  app  from  the  platform.  And  beginning 
in  2014,  Facebook  proactively  reviewed  all  new  apps  seeking  to  access  anything  beyond  basic 
data  fields  and  has  rejected  more  than  half  of  apps  (about  299,000  apps  in  total)  seeking  those 
permissions. 


5.  Does  the  NDA  signed  with  Dr  Kogan  prevent  legal  action  being  taken?  What  was  the  date 
of  the  agreement?  Was  there  a  payment  made  to  Dr  Kogan? 

As  stated  by  Mr  Schroepfer  (Q  2322),  a  formal  agreement  was  signed  by  Dr  Kogan  on  24  June 
2016  in  respect  of  his  obligations  to  delete  Facebook  user  data  and  obtain  certifications  from 
other  third-parties  to  whom  he  provided  some  data  (SCL,  Eunoia  Technologies  (a  company 
founded  by  Christopher  Wylie),  and  a  researcher  at  the  Toronto  Laboratory  for  Social 
Neuroscience  at  the  University  of  Toronto).  A  copy  of  the  agreement  is  enclosed. 
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This  agreement  with  Dr  Kogan  contained  a  standard  confidentiality  clause.  No  payment  was 
made  by  any  party  in  connection  with  the  agreement.  As  Mr  Schroepfer  also  explained,  we  want 
Dr  Kogan  to  be  able  to  be  open  about  these  events  and  have  waived  this  confidentiality 
obligation. 

6.  Who  was  the  person  at  Facebook  responsible  for  the  decision  not  to  tell  users  affected  in 
2015? 

The  information  that  surfaced  in  December  2015  reported  that  Dr.  Kogan  may  have  shared  data 
that  he  obtained  lawfully  from  users  on  Facebook's  platform  with  a  third  party  (Cambridge 
Analytica)  in  violation  of  our  developer  policies.  Dr.  Kogan's  violation  of  our  policies  did  not 
trigger  a  legal  notification  obligation  by  Facebook,  both  because  the  data  shared  with  Dr. 

Kogan's  app  was  authorized  by  users  and  because  of  the  nature  of  the  information  itself — 
consisting  of  information  people  shared  publicly  or  with  their  friends  on  Facebook  (generally  not 
passwords,  financial  data,  or  other  data  requiring  notification  under  laws  in  place  at  the  time). 

Accordingly,  our  focus  in  December  2015  was  to  ensure  that  Dr  Kogan  and  anyone  with  whom 
he  had  shared  data  promptly  deleted  all  data.  We  retained  an  outside  law  firm  to  investigate  and 
take  action  against  Dr  Kogan.  We  obtained  certifications  from  Dr  Kogan  and  others  he  shared 
data  with  assuring  us  that  all  variants  of  the  data  had  been  deleted.  We  also  promptly  removed 
Dr  Kogan's  app  from  the  Facebook  platform.  An  audit  of  Cambridge  Analytica  and  the  other 
parties  involved  would  likely  be  the  most  effective  way  of  seeking  to  determine  what  data  was  in 
fact  shared  and  whether  it  was  deleted  at  the  time. 

Because  we  are  taking  a  broader  view  of  our  responsibilities  that  go  beyond  our  legal 
obligations,  we  have  since  notified  all  people  potentially  impacted  with  a  detailed  notice  at  the 
top  of  their  News  Feed.  In  doing  so,  we  have  likely  notified  many  people  who  did  not  have  their 
data  passed  to  Cambridge  Analytica.  Not  only  did  we  take  an  expansive  methodology  to  identify 
users  whose  information  may  have  been  shared  with  Dr  Kogan's  app,  but  we  also  notified  all 
potentially  affected  users  outside  the  United  States,  despite  Dr  Kogan's  statements  —  including 
to  the  Committee  —  that  he  only  passed  information  relating  to  US  users  to  Cambridge 
Analytica. 

7.  Who  at  Facebook  heads  up  the  investigation  into  Cambridge  Analytica,  including  all  the 
strands  of  the  investigation? 

Our  legal  team,  led  by  General  Counsel  Colin  Stretch,  is  leading  the  investigation  into 
Cambridge  Analytica. 
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8.  Has  Joseph  Chancellor  signed  an  NDA? 

As  stated  by  Mr  Schroepfer  (Qs  2192-2194),  Joseph  Chancellor  has  not  signed  a  non-disclosure 
agreement  with  Facebook  relating  to  this  issue.  All  employees  of  Facebook  (as  with  many 
businesses)  are  required  to  sign  a  standard  confidentiality  agreement  as  part  of  their  employment, 
and  Mr  Chancellor  is  no  exception. 

9.  Agreement  to  provide  documentation  that  Cambridge  Analytica  had  certified  the  deletion  of 
the  data. 

A  copy  of  the  certifications  from  those  to  whom  Dr  Kogan  said  he  gave  the  data  are  enclosed. 

10.  What  was  the  number  of paid  adverts  from  the  IRA  during  the  US  election? 

After  the  2016  US  election,  we  found  that  fake  accounts  associated  with  the  IRA  spent 
approximately  $100,000  on  around  3,500  Facebook  and  Instagram  adverts  between  June  2015 
and  August  2017.  All  adverts  have  been  published  by  the  US  House  of  Representatives  and  are 
available  here:  https://democrats-intelligence.house.gov/facebook-ads/social-media- 
advertisements.htm. 

11.  From  which  country  did  the  $2  million  that  AIQ  spent  on  ads  come? 

According  to  its  advertiser  registration,  AIQ  was  based  in  Canada.  However,  in  order  to  run 
adverts  on  behalf  of  Vote  Leave  and  other  UK  referendum  campaigners,  AIQ  would  have 
required  access  to  be  granted  to  their  Facebook  pages  by  the  respective  campaigns.  In  other 
words,  the  VoteLeave  and  other  campaigns  explicitly  granted  access  to  AIQ  to  be  an 
administrator  of  their  pages. 

From  our  internal  investigation  so  far,  to  run  adverts  on  Facebook,  AIQ  incurred 
approximately  $1.6  million  USD  to  run  adverts  from  the  Vote  Leave  Facebook  Page; 
approximately  $329,000  USD  to  run  adverts  from  the  BeLeave  Facebook  Page;  approximately 
$51,500  USD  to  run  adverts  from  the  Veterans  for  Britain  Facebook  Page;  and  approximately 
$32,700  USD  to  run  adverts  from  the  DUP  Vote  to  Leave  Facebook  Page. 

12.  How  many  UK  Facebook  users  and  Instagram  users  were  contacted  by  non-UK  entities 
during  the  EU  referendum? 

Many  Facebook  and  Instagram  users  are  frequently  in  contact  with  friends  and  family  in  other 
countries,  and  may  read  foreign  media,  or  may  follow  celebrities  or  public  figures  abroad. 

Many  referendum  campaigners  have  at  some  point  used  foreign  consulting  or  advertising 
agencies.  Our  understanding  is  that  all  registered  campaigners  need  to  report  details  of  their 
suppliers  during  the  referendum  period  to  the  Electoral  Commission.  The  Electoral  Commission 
then  publishes  these  suppliers’  details  on  the  public  register  available  on  its  website. 
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Regarding  alleged  coordinated  foreign  activity  during  the  EU  Referendum,  we  have  previously 
addressed  the  Committee's  questions  on  Russian  interference  (in  our  letters  of  17  January  and  28 
February  2018).  We  found  a  few  adverts  connected  to  the  IRA  which  ran  during  the  regulated 
period  of  the  EU  Referendum  campaign  —  1 5  April  to  23  June  20 1 6  -  that  were  shown  to  a  small 
number  of  people  in  the  UK.  As  requested  by  the  Electoral  Commission  we  shared  information 
about  how  much  was  spent  by  the  IRA  to  reach  UK  voters  during  this  period.  This  amounted  to 
around  1  USD.  We  also  provided  copies  of  the  Adverts  to  the  Electoral  Commission. 

The  release  of  the  set  of  IRA  adverts  by  the  US  House  of  Representatives,  which  shows  a 
significant  amount  of  activity  by  the  IRA  with  only  a  handful  of  their  adverts  listing  the  UK  as  a 
possible  audience,  confirms  the  position  we  shared  with  the  Electoral  Commission  and  the 
Committee. 

13.  How  many  clicks  or  swipes  does  it  take  to  alter  your  Facebook  privacy  settings  on  a 
smartphone?  What  steps  are  you  taking  to  reduce  the  lengthy  process  of  changing  one's 
privacy  settings? 

We  have  recently  rolled  out  changes  to  our  settings.  To  access  Privacy  Settings  in  our  updated 
menu,  it  only  takes  three  clicks.  First,  users  click  on  the  three  bars  at  the  bottom  of  the  app.  Then, 
they  click  on  “Settings  &  Privacy.”  Finally,  they  can  click  on  either  “Settings”  to  access  the  full 
suite  of  core  Facebook  settings,  including  privacy,  or  they  can  go  straight  to  the  “Privacy 
Shortcuts”  menu  to  access  core  privacy  settings. 
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During  our  preparations  for  GDPR,  we  heard  feedback  from  regulators,  policymakers,  and  users 
that-  while  it’s  important  we  offer  many  granular  privacy  settings — they  are  too  distributed 
across  the  platform  and  should  be  centralised  in  one  place.  We  took  this  feedback  on  board  and, 
following  a  significant  engineering  and  design  effort,  we  also  created  an  updated  Settings  menu 
where  users  have  easy  access  to  all  the  core  Facebook  settings  in  one  place.  Now,  instead  of 
having  settings  spread  across  20  different  places  on  Facebook,  users  can  go  to  one  place. 

The  updated  menu  is  now  clearer,  more  visual  and  easier  to  find.  From  this  one  place,  users  can 
now  make  their  account  more  secure,  control  their  information,  control  the  ads  they  see,  and 
manage  who  sees  their  posts  and  profile  information. 

14.  What  proportion  of  political  campaigning  ads  globally  are  run  on  your  platform?  Do  you 
have  a  rough  estimate ,  based  on  average  political  campaign  spend  data? 

We  are  not  aware  of  any  data  on  total  political  advertising  spend  globally  -  whether  online  or 
otherwise  -  which  would  be  required  in  order  to  estimate  what  proportion  of  that  advertising  is 
placed  on  Facebook,  nor  do  we  have  a  reliable  way  today  to  know  what  adverts  previously  run 
on  our  platform  are  “political”.  As  Mr  Schroepfer  stated  (Qs  2262-2263),  Facebook  does  not 
monitor  market  share  of  political  advertising  or  have  the  means  to  do  so. 

15.  What  data  on  dark  ads  do  you  have? 

We  understand  dark  ads  to  refer  to  adverts  that  an  advertiser  targets  to  a  specific  audience  but 
that  are  not  otherwise  viewable  on  Facebook  (outside  the  audience  for  the  adverts). 

In  general,  Facebook  maintains  for  paid  advertisers  data  such  as  name,  address,  and  banking 
details.  We  also  maintain  information  about  advertiser’s  accounts  on  the  Facebook  platform  and 
information  about  their  ad  campaigns  (most  advertising  content,  run  dates,  spend, 
etc.).  Advertisers  do  not  however  obtain  information  from  Facebook  which  personally  identifies 
recipients  of  their  ads. 

We  believe  that  the  Committee's  concerns  will  be  addressed  by  the  new  feature  which  we've 
been  testing  in  Canada  called  “view  ads”.  This  is  a  key  step  in  our  commitment  to  advert 
transparency,  and  lets  anyone  see  all  the  adverts  a  Page  is  running  on  Facebook  —  even  if  they 
are  not  in  the  audience  for  the  advert  and  even  if  the  user  does  not  follow  the  Page  running 
the  adverts.  This  will  apply  to  all  advertiser  Pages  on  Facebook  —  not  just  Pages  running 
political  adverts.  We  plan  to  launch  “view  ads”  globally  in  late  June  of  this  year. 

Users  are  also  always  able  to  see  who  is  showing  them  adverts  and  how  they  are  being  targeted, 
including  by  clicking  the  drop-down  menu  available  in  any  advert  and  selecting  “Why  am  I 
seeing  this?”.  This  tells  the  user  who  the  advertiser  is  and  provides  them  with  an  explanation  of 
how  he  or  she  has  matched  the  advertiser's  targeting  criteria.  If  users  do  not  wish  to  see 
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further  adverts  from  the  advertiser  concerned,  they  can  then  choose  “Hide  ad”.  Users  can  also 
Report  Ad  from  this  drop-down  menu,  including  because  the  user  considers  the  advert  to  be 
misleading  or  a  false  news  story.  Through  this  drop-down  they  are  also  directed  to  their  Ad 
Preferences  and  Ad  Settings  where  they  can  see  and  amend  the  interests  on  which  advertisers  can 
target  them;  see  and  amend  the  advertisers  that  are  able  to  target  them  as  a  result  of  previous 
interactions;  and  opt  out  of  receiving  adverts  based  on  data  from  third-party  partners. 

16.  Is  it  possible  for  Facebook  to  view  pages  set  up  during  elections  (e.g.  the  EU  Referendum 
campaign)  that  host  dark  ads,  and  then  are  taken  down  a  day  later?  Is  it  possible  that  no-one 
would  ever  be  able  to  audit  these  dark  ads,  as  no  one  (not  even  Facebook)  would  see  them 
during  the  time  they  are  online? 

We  refer  you  to  our  answer  to  question  1 5  above  regarding  the  information  we  retain  in  relation 
to  adverts  and  advertisers  on  our  platform,  including  when  the  underlying  Page  is  deleted. 


We  are  also  working  to  further  increase  ads  transparency  specifically  around  political 
advertising.  Advertisers  running  advertisements  for  political  adverts  on  Facebook  and  Instagram 
will  be  required  to  be  authenticated  before  they  can  run  political  adverts.  In  addition,  political 
adverts  will  be  accompanied  by  paid  for  by”  information.  We  will  also  release  a  public, 
searchable  archive  of  adverts  with  political  content,  which  will  include  adverts  that  are  deleted  or 
run  for  a  short  time.  We  are  working  to  roll  this  out  in  the  UK  before  the  local  elections  in  Mav 
2019.  3 

It  is  important  to  note  that  the  systems  that  will  identify  electoral  and  issue  adverts  subject  to  our 
new  ads  transparency  policies  are  in  the  process  of  being  developed  and  will  not  be  perfect.  We 
are  invested  in  continuing  to  develop  and  refine  these  systems  as  fast  as  we  can  to  improve 
accuracy  in  identifying  ads  subject  to  these  requirements. 

17.  Was  there  any  link  between  the  US  elections  and  the  201 7  purge  of  fake  accounts? 

The  2017  purge  of  fake  accounts  that  was  referenced  by  the  Committee  (Qs  2288  -  2297)  relates 
to  steps  we  took  to  disrupt  a  specific  spam  operation 

(see  https://www.facebook.com/notes/facebook-security/disrupting-a-major-spam- 
operation/1 01 54327278540766).  The  operation  was  made  up  of  inauthentic  likes  and  comments 
that  appeared  to  come  from  accounts  located  in  Bangladesh,  Indonesia,  Saudi  Arabia,  and  a 
number  of  other  countries.  We  are  not  aware  of  a  connection  to  the  2016  US  elections. 
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18.  What  proportion  of  the  fake  accounts  you  purged  had  any  involvement  from  Russia? 

We  are  not  aware  of  links  between  the  spam  operation  referenced  in  Q  17  and  the  Russian 
government. 

Outside  of  the  2017  “purge”,  in  our  review  of  the  2016  US  election  we  found  that  the  Russian 
Internet  Research  Agency  had  set  up  a  network  of  hundreds  of  fake  accounts  to  spread  divisive 
content  and  interfere  in  the  US  presidential  election.  We  began  investigating  their  activity 
globally  and  taking  down  their  Pages  and  accounts.  In  Autumn  2017,  we  removed  470  fake  IRA 
accounts  and  Pages.  In  April  2018,  we  removed  more  than  270  further  accounts  and  Pages 
operated  by  the  Internet  Research  Agency. 

19.  Do  you  know  how  many  developers  were  using  and  selling  data  on  to  third  parties  such  as 
GSR?  Is  GSR  the  only  company  that  has  received  letters  from  Facebook,  demanding  that  they 
delete  their  Facebook  data? 

To  clarify,  GSR  is  a  company  established  by  Dr  Kogan  —  the  developer  of  the 
thisisyourdigitallife  app.  We  understand  that  Dr  Kogan/GSR  transferred  data  at  some  point  to 
third-parties  that  include  Christopher  Wylie  (and  his  company)  and  Cambridge  Analytica/SCL 
Elections.  We  obtained  certifications  of  deletion  from  each  of  those  third  parties. 

We  are  in  the  process  of  investigating  every  app  that  had  access  to  a  large  amount  of  information 
before  we  changed  our  platform  in  2014.  If  we  find  suspicious  activity,  we  will  take  steps  to 
investigate  or  take  enforcement  actions  against  the  app.  If  we  determine  that  there  has 
been  an  improper  use  of  data  shared  with  third  parties,  we  will  ban  those  developers  and  notify 
everyone  affected. 

20.  What  kind  of  developer  activity  leading  up  to  2014  led  to  Facebook’s  major  policy  changes 
related  to  sharing  friends’  data?  (Please  give  specific  examples.)  Were  these  changes 
responding  to  genuine  concerns  among  Facebook  users? 

In  early  2014,  Facebook  introduced  changes  to  provide  users  more  choice  and  control  over  what 
information  apps  received,  to  reduce  the  amount  of  data  that  could  be  shared  with  third-party 
apps,  and  to  establish  a  new  review  and  approval  process  for  any  new  apps  that  sought  to  request 
anything  more  than  basic  information  about  the  installing  user.  We  announced  these  changes 
because,  among  other  things,  we  learned  that  consumers  wanted  more  control  over  their 
information.  These  changes  accompanied  a  new  version  of  the  platform  API,  called  Graph  API 
V2,  which  incorporated  several  key  new  elements.  The  changes  included: 

•  Institution  of  a  review  and  approval  process,  called  App  Review  (also  called  Login 

Review),  for  any  app  seeking  to  operate  on  the  new  platform  that  would  request  access  to 
data  beyond  the  user’s  own  public  profile,  email  address,  and  a  list  of  friends  of  the  user 
who  had  installed  and  authorised  the  same  app; 
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•  Limiting  the  data  that  apps  on  the  new  platform  could  access  about  friends  of  the 
installing  user;  and 

•  Providing  users  with  even  more  granular  controls  over  the  categories  of  their  data  an  app 
operating  on  the  new  platform  could  access. 

We  are  in  the  process  of  restricting  the  data  available  to  apps  even  more  severely,  so  that  the 
only  data  that  an  app  will  be  able  to  request  without  App  Review  will  be  name,  profile  photo, 
and  email  address. 

21.  How  many  Facebook  staff  have  been  added  to  the  app  review  team  since  2014? 

We  work  continuously  to  make  our  platform  safer  and  more  secure,  and  our  effort  to  do  so  is  a 
holistic  one  that  often  involves  hiring  additional  employees  as  well  as  continually  evaluating  our 
processes  and  policies.  Facebook  has  several  groups  dedicated  to  detecting,  investigating  and 
combating  violations  of  its  policies.  Those  efforts  have  expanded  and  evolved  over  time.  For 
example: 

•  Our  Developer  Operations  team  reviews  Facebook  apps  requesting  detailed  personal 
information  for  policy  violations.  The  Developer  Operations  Policy  Enforcement  team 
looks  for  policy  violations  and  either  brings  developers  into  compliance  or  removes  them 
from  the  platform.  The  Developer  Operations  Review  team  conducts  an  upfront  review  of 
apps  to  confirm  proper  use  of  advanced  permissions. 

•  Our  Security  teams  make  sure  the  worst  actors  and  abusers  are  dissuaded  from  targeting 
our  products,  communities,  and  company.  The  teams  also  stay  abreast  of  trends  in  attacks 
and  are  composed  of  investigators,  analysts,  and  security  engineers. 

•  Our  Platform  Integrity  team  builds  systems  and  automation  to  detect  and  enforce 
misbehaving  platform  applications,  with  a  focus  on  commercial  spam.  The  team  detects 
and  fixes  Developer  Platform  security  gaps,  and  redesigns  platform  products  to  make 
them  harder  for  bad  actors  to  abuse. 

We  have  and  will  continue  to  add  more  people  and  resources  to  our  Developer  Operations  team, 
as  well  as  other  teams  that  work  on  privacy,  safety,  and  security  at  Facebook.  This  year  we  are 
doubling  the  number  of  people  who  work  on  safety  issues  overall  from  10,000  to  20,000,  and 
that  includes  content  reviewers,  systems  engineers  and  security  experts.  We  are  on  track  to  hit 
this  goal. 

22.  What  is  the  legal  situation  regarding  Facebook  storing  non-Facebook  users’  data? 

When  a  person  who  is  not  a  registered  user  of  Facebook  visits  a  site  or  app  that  uses  our  services 
and  accepts  the  use  of  Facebook  cookies  (or  similar  technologies),  we  receive  logs  of  this  visit  in 
the  same  manner  described  in  response  to  question  1  above.  This  is  an  inherent  feature  of  how 
the  Internet  works  and  occurs  automatically  by  virtue  of  the  fact  that  the  person's  device  contacts 
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Facebook's  servers  in  order  for  the  Facebook  buttons  and  other  features  on  those  sites  to  work. 
The  information  received  in  this  manner  allows  Facebook  to  identify  a  specific 
browser;  however,  when  the  person  visiting  the  website  or  app  is  not  a  Facebook  user,  we  do  not 
receive  any  information  that  would  allow  us  to  identify  the  individual  using  that  browser. 

Facebook's  processing  of  such  data  for  non-users  complies  with  all  applicable  laws.  Our  privacy 
policy  (https://www.facebook.com/policy.php)  explains  in  detail  what  we  do  with  the 
information  we  receive,  and  makes  clear  that  we  may  collect  data  from  people  away  from 
Facebook  who  are  logged  out  or  don't  have  a  Facebook  account.  Our  Cookies  Policy 
(https://www.facebook.com/policies/cookies/)  provides  more  detailed  information  about  how 
and  why  we  use  cookies  and  the  controls  that  people  have.  And  we  comply  with  applicable  EU 
laws  by  obtaining  consent  from  European  users  before  dropping  cookies  that  are  not  strictly 
necessary  by  displaying  a  cookie  banner  to  every  browser  visiting  Facebook  for  the  first  time  to 
notify  users  about  our  cookie  use  as  follows:  “To  help  personalise  content,  tailor  and  measure 
ads  and  provide  a  safer  experience,  we  use  cookies.  By  clicking  on  or  navigating  the  site,  you 
agree  to  allow  us  to  collect  information  on  and  off  Facebook  through  cookies.  Learn  more, 
including  about  available  controls:  Cookie  Policy.  ” 

In  order  for  third  parties  to  use  our  Facebook  technologies  in  their  websites  or  apps,  it  is  also  a 
contractual  requirement  that  they  do  so  in  accordance  with  applicable  laws  and  that  where 
necessary  they  obtain  valid  consent  or  have  another  legal  basis  to  share  browser  or  app  logs  with 
Facebook  from  their  service. 

23.  Did  Facebook  pass  user  information  to  Cambridge  Analytica  or  to  Aleksandr  Kogan? 

No,  Facebook  did  not  pass  user  information  gathered  by  Dr  Kogan's  app  to  Cambridge 
Analytica.  As  Mr  Schroepfer  explained  to  the  Committee  (Q  2389),  Facebook  provided  tools 
that  let  users  share  their  data  and  their  friends'  data  with  Dr  Kogan's  app,  and  Dr  Kogan  in  turn 
appears  to  have  shared  some  of  that  data  with  Cambridge  Analytica  and  other  third  parties. 

24.  At  the  8  February  evidence  session,  Chris  Matheson  asked  Simon  Milner,  “Have  you  ever 
passed  any  user  information  over  to  Cambridge  Analytica  or  any  of  its  associated 
companies ?”  Simon  Milner  replied  “No”.  Chris  Matheson  asked,  “ But  they  do  hold  a  large 
chunk  of  F acebook ’s  user  data,  don ’t  they? ”  Simon  Milner  said,  “No.  They  may  have  lots  of 
data,  but  it  will  not  be  Facebook  user  data.  It  may  be  data  about  people  who  are  on  Facebook 
that  they  have  gathered  themselves,  but  it  is  not  data  that  we  have  provided.  ”  [Qq  447-448]  Do 
you  agree  with  this  answer? 

This  question  was  answered  in  Mr  Schroepfer's  evidence  to  the  Committee  (Q2407-2419, 
Q2429-2430).  Additionally,  we  should  point  out  that  the  quotation  contained  in  this  question  is 
an  incomplete  representation  of  the  evidence  that  Mr  Milner  gave  on  8  February  2018 
(see  http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/digital- 
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culture  media-and-sport-committee/fake-news/oral/78 1 95.pdf).  That  evidence  also  included  the 
following  relevant  clarification  regarding  the  statements  you  have  quoted: 


Q473  Chair:  [...]  I  just  have  a  couple  of  clarification  questions  I  want  to  ask  before  we  finish. 
Going  back  to  the  discussion  on  F acebook  developers,  Mr  Milner,  you  said  that  it  was  not  true 
that  developers  had  Facebook  user  data —  but  they  had  data  about  people  on  Facebook.  I  just 
wondered  what  the  difference  was  between  those  two  things. 

Simon  Milner:  I  suppose  I  was  initially  assuming  that  Mr  Matheson  was  saying  “Have  you 
pi  ovided  data?  Has  Facebook  provided  data  to  Cambridge  Analytica  or  some  other  outside 
entity?  We  do  not  provide  your  data  to  anyone  without  your  permission;  but  the  developer,  the 
system  that  Ms  Bickert  was  talking  about,  does  allow ’  people  to  decide,  “I  am  prepared  to  let 
them  have  some  of  my  Facebook  data  in  order  to  get  a  service  from  them.  ”  I  am  sorry  if  I 
implied— 

As  explained  above,  we  found  out  in  December  2015  that  Dr  Kogan  may  have  transferred  data 
obtained  from  Facebook  users  by  his  app  to  Cambridge  Analytica.  Any  data  Dr  Kogan  shared 
with  Cambridge  Analytica  took  place  independently,  outside  of  Facebook’s  platform  (and  we  still 
have  not  been  able  to  verify  what  sharing,  if  any,  occurred  because  we  have  been  holding  off  on 
our  forensic  audit  of  third  parties  at  the  request  of  the  Information  Commissioner's  Office). 
Facebook  did  not  permit  or  agree  to  that  transfer  and  it  happened  in  breach  of  Facebook's 
Platform  Policy.  On  learning  this,  we  acted  promptly  to  terminate  Kogan's  app  from  our 
platform  and  demanded  that  Dr  Kogan  and  GSR,  as  well  as  the  other  entities  to  whom  they 
confirmed  they  had  disclosed  data  obtained  via  the  app,  account  for  and  irretrievably  delete  all 
such  data.  Facebook  obtained  written  certifications  from  Dr  Kogan,  GSR,  and  other  third  parties 
(including  SCL  and  Christopher  Wylie)  declaring  that  all  such  data  they  had  obtained  (including 
derivative  data)  was  accounted  for  and  destroyed.  These  deletion  certifications  were  all  obtained 
many  months  prior  to  Mr  Milner  s  testimony;  and  Mr  Milner's  testimony  is  consistent  with  their 
contents  and  our  understanding  of  the  facts  at  that  time. 

In  March  2018,  after  Mr  Milner's  testimony,  Facebook  received  information  from  the  media 
suggesting  that  the  certifications  we  received  may  not  have  been  accurate.  We  immediately 
banned  SCL  and  Cambridge  Analytica  from  our  advertising  platform  and  have  since  been 
investigating.  As  part  of  our  investigation,  we  have  hired  a  forensic  auditor  to  understand  what 
information  Cambridge  Analytica  had  and  whether  it  has  been  destroyed.  That  is  the  most 
effective  way  to  know  whether  Cambridge  Analytica  still  has  the  data  it  obtained  from  Kogan. 

We  paused  the  audit  in  response  to  the  UK  Information  Commissioner’s  Office  request,  so  that 
they  can  pursue  their  investigations  first. 
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25.  At  the  time  of  Simon  Milner's  testimony  in  February  2018,  who  at  Facebook  knew  about 
Cambridge  Analytica?  Who  was  in  charge? 

It  was  not  until  March  2018,  after  Mr  Milner's  testimony,  that  Facebook  learned  of  allegations 
from  the  media  that,  contrary  to  their  assurances,  Dr  Kogan  and  Cambridge  Analytica  did  not 
delete  data  about  Facebook  users  that  Dr  Kogan  obtained  through  his  app.  At  that  point,  a 
number  of  people  at  Facebook  became  aware  of  these  allegations,  and  we  commenced  a 
company  investigation  involving  hundreds  of  different  people,  ultimately  managed  by  our 
General  Counsel,  Colin  Stretch. 

26.  When  did  Mark  Zuckerberg  know  about  Cambridge  Analytica? 

Mr.  Zuckerberg  did  not  become  aware  of  allegations  that  Cambridge  Analytica  may  not  have 
deleted  data  about  Facebook  users  obtained  through  Dr.  Kogan's  app  until  March  of  2018,  when 
these  issues  were  raised  in  the  media. 

27.  Can  you  tell  us  about  the  financial  links  between  SCL  and  Cambridge  Analytica? 

We  will  provide  separately  our  confidential  letter  to  the  Electoral  Commission  which  addresses 
this  issue. 

28.  How  much  money  has  been  made  from  fraudulent  ads  (for  example  -  but  not  limited  to  - 
the  recent  case  of  financial  expert  Martin  Lewis?)  When  you  find  out  they  have  been 
fraudulent,  do  you  return  the  money  to  the  purchaser  of  the  ads? 

Fraudulent  ads  are  not  allowed  on  Facebook.  They  are  in  breach  of  our  advertising  policies  and 
we  will  remove  them.  We  have  been  working  with  Mr  Lewis's  team  for  some  time  and  have 
removed  a  large  number  of  ads  that  feature  him  and  violate  our  Ads  policies.  To  make  all  of  this 
happen  automatically,  as  has  been  suggested,  is  technically  challenging.  We  are  constantly 
working  on  improving  our  machine  learning  tools  to  better  detect  fraudulent  or  misleading  ads 
and  prevent  them  from  appearing  on  Facebook,  and  we  are  making  good  progress  in  this  area. 

Where  we  discover  adverts  that  violate  our  policies  or  applicable  laws,  we  do  not  generally 
return  money  and  it  would  seem  perverse  to  return  it  to  someone  attempting  to  deceive  our  users. 
Instead,  we  make  investments  in  areas  to  improve  security  on  Facebook  and  beyond.  In  addition, 
the  investments  that  we  are  making  to  address  security  issues  are  so  significant  that  we  have 
informed  investors  that  we  expect  that  the  amount  that  we  will  spend  will  impact  our 
profitability. 
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29.  Can  we  see  copies  of  adverts  from  AIQ?  Who  saw  these  adverts  shown  to?  Who  paid for 
them? 

As  explained  in  Q1 1  above,  AIQ  incurred  approximately  $2  million  USD  advertising  on 
Facebook  for  a  number  of  EU  referendum  campaigners.  We  are  in  the  process  of  identifying  and 
compiling  the  content  and  additional  information  for  these  adverts.  We  have  also  notified  the 
campaigns  who  commissioned  these  adverts  that  the  Committee  has  asked  to  see  their  content. 
We  understand  that  you  intend  also  to  speak  to  the  campaigns  as  part  of  your  inquiry  and  will  be 
able  to  put  questions  about  their  advertising,  strategy  and  funding  directly  to  them. 


30.  Why  wasn  ’t  GSR  identified  during  audits  of  third  party  developers? 

Dr  Kogan  signed  a  certification  on  behalf  of  his  company,  GSR,  confirming  that  it  had  deleted 
all  Facebook  data  obtained  through  his  app.  So  GSR  was  one  of  the  parties  that  signed  a 
certification  following  our  December  20 1 5  investigation. 

31.  How  can  the  feature  allowing  users  to  edit  previews  of  articles  (in  response  to  concerns 
over  Fake  News)  be  removed? 

We  agree  that  allowing  users  to  edit  link  previews  can  be  abused  to  contribute  to  fake  news  and 
so  we  removed  this  ability  in  2017,  as  part  of  our  continuing  efforts  to  stop  the  spread  of 
misinformation  on  our  platform.  This  remains  disallowed  for  most  people  who  share  content  on 
Facebook.  However,  conscious  of  the  needs  of  publishers  on  our  platform,  we  have  provided  a 
means  for  publishers  to  indicate  their  ownership  of  links  and  continue  to  be  able  to  edit  how  their 
own  links  appear  on  Facebook.  We  allowed  this  because  we  know  that  media  pages  use  this 
feature  daily  to  customise  and  post  links  which  they  own. 

32.  What  work  is  Joseph  Chancellor  doing  right  now  for  Facebook?  What  is  his  job  title?  Was 
Facebook  aware  of  Joseph  Chancellor’s  involvement  in  GSR  at  the  time  of  his  application  to 
the  company,  or  during  his  employment? 

Mr  Chancellor  is  a  quantitative  researcher  on  the  User  Experience  Research  team  at  Facebook, 
whose  work  focusses  on  aspects  of  virtual  reality.  We  are  investigating  Mr  Chancellor's  work 
with  Dr  Kogan/GSR  through  counsel.  The  remainder  of  this  question  was  answered  by  Mr 
Schroepfer  (Qs  2186  -  2199,  2489). 

33.  Mr  Schroepfer  said  that  recruitment  is  taking  place  to  boost  work  being  done  in 
Myanmar.  When  is  this  happening  and  can  you  provide  more  details? 

We  ve  been  too  slow  in  Myanmar  to  deal  with  the  hate  and  violence.  We  are  investing  in  people, 
technology  and  programs  to  help  address  these  very  serious  challenges. 
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Specifically,  our  work  has  been  focused  on: 

Policies  -  removal  of  hate  speech  and  repeat  offenders:  We  have  clear  rules  against  hate 
speech,  harassment  and  fake  accounts.  This  content  has  no  place  on  Facebook,  and  we  work  hard 
to  keep  it  off  our  platform.  Our  Community  Standards 

(https://www.facebook.com/communitystandards)  prohibit  hate  speech  that  targets  people  based 
on  their  race,  ethnic  identity  or  religion.  We  remove  violating  content  when  it's  reported.  We 
have  also  designated  several  hate  figures  and  hate  organisations  in  Myanmar.  These  include 
Wirathu,  Thuseitta,  Ma  Ba  Tha,  and  Parmaukkha.  This  means  they  are  not  allowed  a  presence  on 
Facebook,  and  we  will  remove  accounts  and  content  which  support,  praise  or  represent  these 
individuals  or  organisations. 

People  -  more  Myanmar  dedicated  resources:  In  the  past  two  years,  we  have  added  dozens 
more  Burmese  language  reviewers  to  handle  reports  from  users  across  our  services.  We  have 
also  increased  the  number  of  people  across  the  company  working  on  Myanmar-related  issues 
and  we  now  have  a  special  product  team  working  to  better  understand  the  local  challenges  and 
build  the  right  tools  to  help  keep  people  in  the  country  safe.  We  are  hiring  more  staff  dedicated 
to  Myanmar,  including  Burmese  speakers  and  experts. 

Products  -  tools  and  technology  to  help  detect  and  remove  content  and  accounts  that  violate 
our  policies:  We  have  improved  the  way  we  detect  fake  accounts  on  our  service  —  including 
ones  that  are  hard  to  spot.  Specifically,  our  technology  is  able  to  more  effectively  recognise  fake 
accounts  by  identifying  patterns  of  activity  —  without  assessing  the  content  itself.  For  example, 
our  systems  may  detect  repeated  posting  of  the  same  content  or  an  increase  in  messages  sent. 

Partnerships  -  digital  literacy  education  with  local  partners:  We  launched  a  local  language 
version  of  our  Community  Standards  (https://www.facebook.com/safety/resources/myanmar)  to 
educate  new  users  on  how  to  use  Facebook  responsibly  in  2015  and  we  have  been  promoting 
these  actively  in  Myanmar,  reaching  over  8  million  people  through  promotional  posts  on  our 
platform  alone.  We've  also  rolled  out  several  education  programs  and  workshops  with  local 
partners  to  update  them  on  our  policies  and  tools  so  that  they  can  use  this  information  in  outreach 
to  communities  around  the  country. 

One  example  of  our  education  initiatives  is  our  work  with  the  team  that  developed  the  Panzagar 
initiative  (https://www.facebook.com/supportflowerspeech)  to  develop  the  Panzagar  counter¬ 
speech  Facebook  stickers  to  empower  people  in  Myanmar  to  share  positive  messages  online.  We 
also  recently  released  locally  illustrated  false  news  tips,  which  were  promoted  on  Facebook  and 
in  consumer  print  publications.  We  have  a  dedicated  Safety  Page  for  Myanmar 
(https://www.facebook.com/safety/resources/myanmarand)  and  have  delivered  hard  copies  of 
our  local  language  Community  Standards  and  safety  and  security  tips  to  civil  society  groups  in 
Myanmar  who  have  distributed  them  around  the  country  for  trainings. 
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34.  What  is  the  average  time  taken  to  respond  to  content  that  has  been  reported  to  Facebook  in 
the  region? 

User  content  reports  are  reviewed  by  our  Community  Operations  team  who  work  around  the 
globe  24  hours  a  day,  seven  days  a  week.  The  vast  majority  of  the  content  reported  to  us  is 
reviewed  within  24  hours.  It  can  be  even  faster  for  specific  types  of  content  such  as  credible 
threats  or  suicide  prevention,  as  we  optimise  our  processes  to  make  sure  that  our  team  of  experts 
handles  these  sensitive  reports  as  quickly  as  possible. 

35.  How  many  fake  accounts  have  been  identified  and  removed  in  Myanmar? 

We  don't  break  down  the  removal  of  fake  accounts  by  country.  We  will  however  be  publishing 
our  transparency  report  this  week  which  will  include  information  about  the  prevalence  and 
removals  of  fake  accounts  globally. 

36.  How  much  of  your  revenue  is  derived  from  Myanmar? 

Myanmar  is  a  small  market  for  Facebook.  We  do  not  publish  country  advertising  revenue 
figures. 

37.  Are  custom  audiences  used  as  a  tool  by  AIQ  using  the  GSR  data  from  the  US?  What  was 
the  total  value  ofAIQ/Vote  Leave  spend  on  Facebook?  Can  we  see  examples  and  copies  of 
adverts  that  they  used?  To  whom  were  they  sent,  and  who  decided  what  kind  of  targeting  to 
use? 

This  question  has  been  answered  in  our  response  to  Qs  1 1  &  29  above. 

38.  Is  there  evidence  that  CA/SCL  shared  data  with  AIQ? 

From  the  investigations  we  have  conducted  to-date  we  have  found  no  evidence  that  AIQ  used 
data  obtained  from  Dr.  Kogan's  app  to  advertise  on  our  platform  for  the  purposes  of  the  EU 
referendum.  Specifically,  as  Mr.  Schroepfer  explained  in  his  written  submission  to  the 
Committee: 

•  Many  of  the  Referendum-related  ad  campaigns  AIQ  ran  on  Facebook  employed  Data  File 
Custom  Audiences  (DFCA)  to  target  Facebook  users.  Advertisers  create  DCF  As  by 
uploading  a  data  file  with  a  list  of  people  for  whom  they  have  contact  information,  such 
as  email  addresses  and  phone  numbers.  Once  the  file  is  uploaded,  the  data  is  hashed. 
Facebook  then  uses  the  hashed  data  to  find  matches  with  Facebook  users  to  create  the 
audience.  DFCAs  are  the  only  method  through  which  an  advertiser  can  input  its  own  data 
to  attempt  to  identify  specific  Facebook  users  for  ad  targeting.  However,  all  of  the 
DFCAs  AIQ  created  used  email  addresses  to  match  to  the  individuals  from  the  data  file 
AIQ  uploaded  with  Facebook  users.  The  data  gathered  through  Dr.  Kogan's  app  did  not 
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include  the  email  addresses  of  app  installers  or  their  friends.  This  means  that  AIQ  could 
not  have  obtained  these  email  addresses  from  the  data  Dr.  Kogan’s  app  gathered  from 
Facebook.  AIQ  must  have  obtained  these  email  addresses  targeted  in  these  campaigns 
from  a  different  source. 

•  We  also  conducted  an  analysis  of  the  DFCAs  employed  by  AIQ  in  its  Referendum- 
related  ads,  on  the  one  hand,  and  UK  user  data  potentially  collected  by  Dr.  Kogan's  app, 
on  the  other  hand,  and  found  very  little  overlap  (fewer  than  4%  of  people  were  common 
to  both  data  sets,  which  overlap  we  believe  to  be  consistent  with  random  chance).  As  a 
result,  we  have  no  evidence  This  suggests  that  data  from  Dr.  Kogan's  app  was  not  used  to 
build  AIQ's  targeting  data  sets  in  connection  with  these  Referendum  campaigns.  Only 
AIQ  has  access  to  complete  information  about  how  it  generated  these  data  sets. 

39.  Why  was  data  responsibility  moved  from  Facebook  Irl  to  Facebook  Inc  in  California  just 
one  month  before  GDPR  kicks  in? 

Mr  Schroepfer  answered  this  question  at  the  hearing  (Q2372-2374).  All  users  in  the  EU  will 
continue  to  be  provided  with  the  Facebook  service  by  Facebook  Ireland,  who  remains  the  data 
controller  for  EU  user  data.  Facebook  Inc.  will  provide  the  Facebook  service  to  people  outside  of 
Europe,  which  is  not  a  change  for  many  parts  of  the  world.  This  ensures  that  we  can  continue  to 
be  responsive  to  local  regulatory  concerns,  without  an  obligation  to  work  through  an  EU-based 
Lead  Supervisory  Authority  for  people  outside  of  Europe  (under  provisions  in  the  GDPR,  the 
Irish  Data  Protection  Commissioner  would  be  the  lead  supervisory  authority  responsible  for  all 
people  receiving  services  from  Facebook  Ireland,  a  controller  based  in  the  Union).  We've 
received  strong  feedback  from  regulators  and  judicial  systems  outside  of  Europe  that  they  want 
us  to  be  directly  responsive  to  them  and  not  be  required  to  go  through  Europe  on  data  protection 
matters. 

This  also  allows  us  to  customize  our  terms  and  data  policy  to  reflect  regional  norms  and  legal 
frameworks.  For  example,  the  Facebook  Ireland  terms  and  data  policy  describe  the  legal  basis 
that  applies  to  each  lorm  of  data  processing,  but  this  is  not  a  concept  that  has  any  relevance 
outside  of  Europe.  Likewise,  we  are  providing  different  versions  of  our  Facebook  Inc.  terms  in 
different  countries.  For  example,  consumers  outside  of  the  United  States  will  be  able  to  bring 
legal  action  against  Facebook  in  their  home  country,  whereas  people  inside  the  United  States  are 
required  to  bring  legal  action  against  Facebook  in  courts  in  California.  These  changes  are  now 
reflected  in  separate  localized  terms. 

Facebook  has  now  held  lengthy  meetings  or  evidence  sessions  around  the  world.  In  the  UK  we 
provided  written  submissions  to  this  inquiry,  we  have  provided  senior  officials  to  give  evidence 
to  the  Committee  s  session  in  Washington,  one  of  the  most  senior  people  in  the  company  has 
given  5  hours  of  testimony  in  the  UK  Parliament  and  today  we  have  answered  the  39  further 
questions  provided  by  the  Committee.  We  were  disappointed  after  providing  a  very  significant 
amount  of  information  to  the  Committee  at  the  last  hearing  the  Committee  declared  our  response 
insufficient. 
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While  Mr  Zuckerberg  has  no  plans  to  meet  with  the  committee  or  travel  to  the  UK  at  the  present 
time  we  continue  to  fully  recognize  the  seriousness  of  these  issues  and  remain  committed  to 
working  with  you  to  provide  any  additional  relevant  information  you  require  for  your  inquiry 
into  fake  news.  We  will  also  continue  to  cooperate  fully  with  the  relevant  regulators. 


Yours  sincerely 


Rebecca  Stimson,  Head  of  Public  Policy,  Facebook  UK 
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CONFIDENTIAL  SETTLEMENT  AGREEMENT  AND  MUTUAL  RELEASE 


THIS  SETTLEMENT  AGREEMENT  AND  MUTUAL  RELEASE  (the 

“Agreement”  or  “Settlement  Agreement”)  is  entered  into  this  _  day  of  June,  2016 

(“Effective  Date”)  by  and  between  Facebook,  Inc.  (“Facebook”)  on  one  side,  and  Global 
Science  Research  Ltd.  (“GSR”)  and  Dr.  Aleksandr  Kogan  (“Dr.  Kogan”)  on  the  other 
side  shall  be  individually  referred  to  as  a  “Party”  and  collectively  as  the  “Parties. 

I.  RECITALS 

WHEREAS,  Facebook  believes  that  GSR  and  Dr.  Kogan  obtained  Facebook 
user  information  in  a  manner  and  for  a  purpose  that  may  not  have  been  consistent  with  or 
permissible  under  Facebook  terms,  conditions  and/or  policies  (“Facebook  Terms”); 

WHEREAS,  GSR  and  Dr.  Kogan  deny  that  they  violated  any  Facebook  Terms; 

WHEREAS,  the  Parties  desire  to  fully  and  finally  resolve  any  and  all  known  and 
unknown  claims  that  may  exist,  arising  out  of  or  related  to  GSR’s  and  Dr.  Kogan’s  use  of 
the  “thisisyourdigitallife”  Facebook  Application  (App  ID:  599050663475147)  (the  “GSR 
App”)  to  obtain  Facebook  user  information  and  GSR’s  and  Dr.  Kogan’s  use  and  sharing 
of  such  Facebook  user  infonnation  (“the  Matter”)  on  the  terms  and  conditions  set  forth 
below  and  to  exchange  certain  consideration  in  settlement. 

NOW  THEREFORE,  for  and  in  consideration  of  the  representations,  mutual 
covenants,  agreements,  and  acts  set  forth  below,  and  for  other  good  and  valuable 
consideration  acknowledged  by  the  Parties  to  be  satisfactory  and  adequate,  and  with  the 
intent  to  be  fully  bound,  the  Parties  hereby  agree  as  follows: 

II.  TERMS 

A.  Cooperation,  Deletion,  Certification 

1.  In  Exhibits  A1  and  A2  attached  hereto,  GSR  and  Dr.  Kogan  have 
provided  Facebook  with  a  complete  list  of  applications,  scripts,  scrapers,  or  other 
methodologies  used  by  GSR  or  Dr.  Kogan  or  any  entity  in  which  GSR  or  Dr.  Kogan  has 
an  ownership  interest  to  collect  Facebook  user  information  (“Facebook  Applications”), 
including  a  complete  description  of  the  collection,  use,  sharing,  and  disclosure  of 
Facebook  user  information  obtained  from  the  Facebook  Applications  and  data  derived 
from  such  Facebook  user  information,  specifically:  a)  personality  scores  and  average 
personality  scores;  b)  derived  dimensional  scores  summarizing  infonnation  captured  in 
the  “likes”;  and  c)  a  co-occurrence  matrix  of  likes  (collectively,  all  such  Facebook  user 
infonnation  and  data  derived  from  such  Facebook  user  information  related  to  the  GSR 
App  is  referred  to  herein  as  “App  Data”).  Certain  infonnation  has  been  redacted  in 
Exhibits  A1  and  A2.  Neither  GSR  nor  Dr.  Kogan  derived  any  other  data  from  such  App 
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Data,  except  as  listed  in  (a),  (b)  and  (c)  in  the  preceding  sentence.  App  Data  includes 
data  from  the  Facebook  account  of  the  GSR  App  user  as  well  as  Facebook  data  (i.e. 
friend’s  endpoints)  from  the  accounts  of  the  GSR  App  user’s  friends  that  was  collected 
by  the  GSR  App.  Within  fourteen  (14)  business  days  of  full  execution  of  this  Agreement, 
GSR  shall  provide  the  unredacted  version  of  Exhibit  A1  and  Dr.  Kogan  shall  provide  the 
unredacted  version  of  Exhibit  A2,  with  the  identity  and  contact  details  for  persons  to 
which  GSR  or  Dr.  Kogan  is  subject  to  a  written  confidentiality  obligation  being  provided 
on  an  “attorneys  eyes  only  -  outside  counsel”  basis.  GSR  and  Dr.  Kogan  will  use  best 
efforts  to  respond  truthfully  and  completely  to  Facebook  questions  that  Facebook  may 
have  after  reviewing  the  description  in  Exhibits  A1  and  A2,  provided  that  neither  GSR 
nor  Dr.  Kogan  shall  be  required  by  Facebook  to  violate  any  written  confidentiality 
obligations  of  GSR  or  Dr.  Kogan  to  any  third  parties. 

2.  GSR  and  Dr.  Kogan  will  delete  all  App  Data  in  their  possession 
within  fourteen  (14)  business  days  of  full  execution  of  this  Agreement. 

3.  Neither  GSR  nor  Dr.  Kogan  will  make  use  of  the  App  Data  or  any 
data  provided  by  Facebook  to  Dr.  Kogan  directly  for  research  purposes,  including  any 
reference  or  use  in  academic  papers  or  manuscripts,  without  first  obtaining  Facebook’ s 
written  pennission.  The  decision  to  permit  a  requested  use  of  App  Data  or  Facebook  data 
shall  be  in  Facebook’s  sole  discretion. 

4.  GSR  will  notify  all  persons  that  accessed  or  received  App  Data 
from  GSR  or  Dr.  Kogan  or  with  whom  either  GSR  or  Dr.  Kogan  shared  or  disclosed  App 
Data  that  all  App  Data  is  to  be  permanently  deleted.  GSR  will  also  provide  all  persons 
receiving  notice  with  a  Certification  in  the  form  attached  as  Exhibit  B.  GSR  will  inform 
all  such  persons  that  this  notification  shall  be  completed  within  fourteen  (14)  business 
days  following  receipt  by  such  persons. 

5.  GSR  and  Dr.  Kogan  will  disclose  to  Facebook  the  identity  and 
contact  details  for  all  persons  notified  to  delete  App  Data.  Disclosure  of  the  identity  and 
contact  details  for  persons  to  which  GSR  or  Dr.  Kogan  are  subject  to  a  written 
confidentiality  obligation  shall  be  provided  on  an  “attorneys  eyes  only  -  outside  counsel” 
basis.  This  disclosure  shall  be  completed  within  fourteen  (14)  business  days  following 
full  execution  of  this  Agreement. 

B.  Representations  and  Warranties 

a.  GSR  and  Dr.  Kogan  represent  and  warrant  that: 

1.  the  description  to  be  provided  by  GSR  and  Dr.  Kogan  under 
Section  II.  A.  1  above  and  the  unredacted  versions  of  Exhibits  A1  and  A2  shall  be  accurate 
and  complete,  to  the  best  of  their  knowledge. 

2.  they  will  delete  all  App  Data  in  their  possession  as  provided  in 

Section  II.A.2. 
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3.  they  will  provide  accurate  and  complete  information,  to  the  best  of 
their  knowledge,  when  completing  Exhibits  A1  and  A2. 

4.  neither  GSR  nor  Dr.  Kogan  have  provided  access  to,  shared,  or 
disclosed  App  Data  to  Philometrics  Inc. 

5.  Dr.  Kogan  received  no  payment  related  to  App  Data  other  than 
reimbursement  for  out-of-pocket  expenses. 

6.  GSR  received  payment  related  to  App  Data  from  one,  and  only 

one,  entity. 

b.  Facebook  represents  and  warrants  that  it  will  not  contact  or  bring  any 
enforcement  action  against  any  individual  or  entity  that  returns  a  Certification  and  agrees 
to  disgorge  to  Facebook  all  revenue  related  to  its  use,  disclosure,  or  sharing  of  App  Data, 
unless  Facebook  obtains  infonnation  indicating  that  the  certifying  party  did  not  delete  all 
App  Data  or  that  the  entity’s  Certification  is  materially  inaccurate  or  materially 
incomplete. 


C.  No  Use  of  F acebook  data 

GSR  and  Dr.  Kogan  agree  that  they  will  not  collect,  access,  disclose,  or  share  data 
collected  by  GSR  or  Dr.  Kogan  from  Facebook  users  (other  than  via  the  personal 
Facebook  profiles  of  Dr.  Kogan  or  any  GSR  members  or  the  GSR  business  Facebook 
page)  for  any  purpose,  including  but  not  limited  to  academic  research,  without  first 
obtaining  written  permission  from  Facebook.  All  research  papers  that  have  been 
submitted  to  Facebook  for  review  and  approval  and  which  list  Dr.  Kogan  as  a 
contributing  author  shall  be  returned  to  the  authors  without  a  determination  by  Facebook 
of  permissible  use,  if  any.  Any  paper  that  contains  co-authors  may  be  resubmitted  for 
review  by  the  co-authors  after  consultation  with  Facebook’ s  research  management  team. 

D.  Confidentiality 

1.  This  Settlement  Agreement,  including  all  discussions  leading  to 
this  Settlement  Agreement  and  all  of  its  terms  and  conditions,  shall  be  held  in  strict 
confidence  by  the  Parties.  Neither  Party  shall  disclose,  directly  or  indirectly,  the 
negotiations  or  tenns  and  conditions  of  this  Settlement  Agreement  without  the  other 
party’s  express  written  consent  except  a)  as  required  for  GSR  and  Dr.  Kogan  to  meet 
their  obligations  hereunder  respecting  communications  with  third  parties,  b)  to  disclose 
that  GSR,  Dr.  Kogan  and  the  parties  returning  Certifications  have  deleted  App  Data,  and 
c)  to  attorneys,  agents,  and  advisors  under  confidentiality  obligations. 

2.  Facebook  shall  not  disclose,  directly  or  indirectly,  the  negotiations 
or  terms  and  conditions  of  this  Settlement  Agreement,  but  may  use  and  disclose 
infonnation  contained  in  any  Certification  provided  to  Facebook  or  information  regarding 
persons  that  had  access  to  App  Data,  if  Facebook  does  not  receive  a  Certification  from 
the  person  or  it  becomes  aware  that  the  infonnation  provided  is  incomplete  or  inaccurate. 
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Information  provided  to  Facebook  on  an  “attorneys  eyes  only  -  outside  counsel”  basis 
may  be  disclosed  to  Facebook,  if  the  entity  does  not  provide  Facebook’s  counsel  a 
completed  Certification.  Facebook,  GSR  and  Dr.  Kogan  may  also  disclose  this  Settlement 
Agreement  and  all  information  disclosed  as  part  of  this  Settlement  Agreement  in  the 
event  of  a  breach  of  the  Settlement  Agreement  and  to  the  extent  legally  required  in 
response  to  a  subpoena  or  other  legal  process. 

E.  Costs  and  Attorney  Fees 

Each  Party  to  this  agreement  shall  be  responsible  for  its  own  attorney's  fees  and 
costs  incurred  in  the  Matter. 

III.  DAMAGES,  INDEMNIFICATION  AND  REMEDIES 

A.  The  Parties  acknowledge  that  it  would  be  difficult  to  measure  accurately 
the  damages  from  any  breach  of  the  terms,  conditions,  covenants,  restrictions, 
representations,  and  warranties  set  forth  herein,  and  that  the  injury  from  any  such  breach 
would  be  difficult  to  calculate. 


B.  The  Parties  therefore  agree  that  if  GSR  or  Dr.  Kogan  materially  breaches 
any  of  provisions  in  Section  II,  TERMS,  and  such  breach  is  not  cured  within  thirty  (30) 
days  following  notice  from  Facebook,  then  Facebook  may,  in  its  sole  discretion,  elect  to 
recover  actual  or  statutory  damages,  or  liquidated  damages  in  the  amount  of  U.S. 
$25,000  from  the  breaching  Party.  The  Parties  agree  that  the  liquidated  damages 
identified  in  this  paragraph  constitute  compensation  and  shall  not  be  considered  a 
penalty. 

C.  If  Facebook  establishes  a  breach  by  the  other  Party  of  this  Settlement 
Agreement  or  any  of  the  covenants  and  restrictions  set  forth  herein,  then  Facebook  shall 
be  entitled  as  a  matter  of  right  to  obtain  from  any  court  of  competent  jurisdiction  an 
injunction,  without  the  necessity  of  posting  any  bond  or  other  security,  prohibiting  GSR 
and  Dr.  Kogan  from  any  further  breaches  of  this  Settlement  Agreement. 

D.  Facebook  shall  be  entitled  to  recover  reasonable  attorneys’  fees  and  costs 
incurred  in  enforcing  its  rights  under  Section  C. 

IV.  Mutual  Releases 

A.  Facebook,  and  its  agents,  partners,  representatives,  heirs,  successors, 
predecessors,  and  assigns,  and  each  of  them,  release  and  forever  discharge  GSR  and  Dr. 
Kogan,  and  its  and  their  agents,  partners,  representatives,  heirs,  successors,  predecessors, 
and  assigns  and  attorneys,  and  any  entity  in  which  GSR  or  Dr.  Kogan  has  an  ownership 
interest  that  was  disclosed  in  accordance  with  Section  II.A.l,  from  any  and  all  claims, 
demands,  damages,  liabilities,  suits,  actions,  and  causes  of  action  whatsoever,  whether 
known  or  unknown,  arising  from  or  related  in  any  way  to  the  Matter,  the  App  Data,  or  the 
GSR  App,  except  for  the  rights  and  obligations  created  in  and  by  this  Agreement. 
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B.  GSR  and  Dr.  Kogan,  and  its  and  their  agents,  partners,  representatives, 
heirs,  successors,  predecessors,  and  assigns,  and  each  of  them,  release  and  forever 
discharge  Facebook,  and  its  agents,  partners,  representatives,  heirs,  successors, 
predecessors,  assigns  and  attorneys  from  any  and  all  claims,  demands,  damages, 
liabilities,  suits,  actions,  and  causes  of  action  whatsoever,  whether  known  or  unknown, 
arising  from  or  related  in  any  way  to  the  Matter,  the  App  Data,  or  the  GSR  App,  except 
for  the  rights  and  obligations  created  in  and  by  this  Agreement. 

C.  Except  as  provided  in  Section  II. B  (Facebook  warranties),  nothing  in  this 
Agreement  or  any  statement  or  action  by  any  Party  in  connection  with  this  Agreement 
shall  be  deemed  to  constitute  a  release  or  waiver  of  the  claims  of  either  Party,  to  the 
extent  they  may  exist,  against  any  third  party. 

D.  Each  Party  knowingly  and  intentionally  waives  any  protection  afforded  to 
them  by  California  Civil  Code  §1542,  which  provides: 

A  GENERAL  RELEASE  DOES  NOT  EXTEND  TO  CLAIMS  WHICH  THE 

CREDITOR  DOES  NOT  KNOW  OR  SUSPECT  TO  EXIST  IN  HIS  OR 

HER  FAVOR  AT  THE  TIME  OF  EXECUTING  THE  RELEASE,  WHICH 

IF  KNOWN  BY  HIM  OR  HER  MUST  HAVE  MATERIALLY  AFFECTED 

HIS  OR  HER  SETTLEMENT  WITH  THE  DEBTOR. 

Each  Party  further  knowingly  and  intentionally  waives  any  protection  under  any  state 
counterpart  to  California  Civil  Code  §1542.  Each  Party  agrees  that  this  Agreement  is 
intended  to  cover  all  claims  or  possible  claims  arising  out  of  or  related  to  those  matters 
referenced  or  impliedly  covered  in  the  general  release  referenced  above,  whether  the 
same  are  known,  unknown  or  hereafter  discovered  or  ascertained,  and  the  provisions  of 
§1542  of  the  California  Civil  Code  and  any  similar  laws  in  other  jurisdictions  are  hereby 
expressly  waived.  The  Parties  hereto  expressly  acknowledge  that  they  have  been  advised 
by  their  counsel  of  the  contents  and  effect  of  such  provisions,  and  with  such  knowledge 
they  hereby  expressly  waive  whatever  benefits  they  may  have  pursuant  to  such 
provisions. 

V.  MISCELLANEOUS 

A.  Applicable  Law  -  This  Agreement  shall  be  governed  by  and  construed, 
applied,  and  interpreted  under  the  laws  of  the  state  of  California.  Any  dispute  arising 
hereunder  shall  be  brought  in  state  or  federal  court  encompassing  San  Mateo  County, 
California,  to  which  GSR  and  Dr.  Kogan  hereby  consent  to  personal  jurisdiction  for 
purposes  of  any  dispute  brought  under  this  Agreement. 

B.  Complete  Agreement  -  The  Parties  understand  and  acknowledge  that  this 
Settlement  Agreement  encompasses  their  entire  understanding  with  respect  to  the 
settlement  of  claims  and  potential  claims  between  them  that  relate  to  or  arise  from  the 
Matter.  No  other  oral  or  written  understandings  impact,  modify,  or  supersede  the 
Settlement  Agreement.  The  terms  of  this  Agreement  may  be  modified  in  the  future  only 
by  a  written  agreement  signed  by  both  Parties. 
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C.  No  Inducement  /  Consultation  with  Counsel  -  Each  of  the  Parties  to  this 
Agreement  represent  and  agree  that  no  promise,  inducement,  or  agreement  not  herein 
expressed  has  been  made  regarding  the  Agreement;  that  in  executing  this  Agreement, 
they  have  consulted  with  and/or  had  the  opportunity  to  consult  with  their  attorneys,  that 
they  have  executed  this  Agreement  freely  and  voluntarily,  with  full  knowledge  of  all 
material  facts  after  independent  investigation,  and  without  fraud,  duress,  or  undue 
influence  of  any  kind  or  nature  whatsoever;  and  that  they  have  read  the  Agreement  and 
fully  understand  each  and  every  provision  contained  therein.  Each  of  the  Parties  has 
obtained  or  has  had  the  opportunity  to  obtain  the  advice  of  independent  legal  counsel  of 
their  choice  to  assure  themselves  that  the  terms  and  conditions  of  the  Agreement  are  fair, 
just  and  equitable,  and  consistent  with  applicable  law. 

D.  Counterparts  and  Signature  -  This  Agreement  may  be  executed  in  two 
or  more  counterparts,  each  of  which  shall  be  deemed  an  original  and  all  of  which  together 
shall  constitute  one  and  the  same  instrument.  Facsimile  or  electronic  copies  of  this 
Agreement,  including  execution  signatures,  may  serve  as  originals.  This  Agreement  may 
be  executed  and  delivered  by  each  party  to  the  other  party  via  e-mail  or  facsimile 
transmission,  with  such  execution  and  delivery  having  the  same  legal  force  and  effect  as 
if  the  original  hereto  had  been  executed  and  delivered. 

E.  Severability;  Unenforceability  -  In  the  event  that  any  tenn,  clause,  or 
provisions  of  this  Agreement  shall  be  construed  to  be  or  adjudged  invalid,  void,  or 
unenforceable,  such  tenn,  clause,  or  provision  shall  be  construed  as  severed  from  this 
Agreement  and  the  remaining  terms,  clauses,  and  provisions  shall  remain  in  effect. 

F.  Waiver  -  The  waiver  by  any  Party  of  a  breach  or  default  of  any  provision 
of  this  Agreement  or  any  right  hereunder  shall  not  constitute  a  waiver  by  such  party  of 
any  succeeding  breach  of  the  same  or  other  provision;  nor  shall  any  delay  or  omission  on 
the  part  of  either  party  to  exercise  or  avail  itself  of  any  right,  power,  or  privilege  operate 
as  a  waiver  of  any  such  right,  power,  or  privilege  by  such  Party. 

G.  Binding  on  Successors  and  Assigns  -  This  Agreement  shall  inure  to  the 
benefit  of,  and  be  binding  upon,  the  Parties’  respective  heirs,  successors,  and  assigns. 

EXECUTED  as  of  the  date  first  written  above  by  each  Party  with  the  intent  to  be 
legally  bound  hereby. 


FACEBOOK,  INC. 


GLOBAL  SCIENCE  RESEARCH  LTD. 


By: 

Its: 


By: 

Its: 


CEO,  Director 


DR.  ALEKSANDR  KOGAN 
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EXHIBIT  A1 


CERTIFICATION 

Global  Science  Research  Ltd. 

I,  Aleksandr  Kogan _ ,  on  behalf  of  Global  Science  Research  Ltd.  (“GSR”  or 

“Recipient”)  certifies  that  all  Facebook  data  gathered  by  GSR  from  the 
“thisisyourdigitallife”  Facebook  Application  (App  ID:  599050663475 147),  including  but 
not  limited  to  Facebook  user  data  and  Facebook  user  friend  data  and  data  derived  from 
such  Facebook  user  data  and  Facebook  user  friend  data  (“App  Data”)  has  been  accounted 
for  and  pennanently  deleted  and  destroyed  from  both  active  and  redundant  storage  that  is 
under  GSR’s  direct  or  influential  control. 

1 .  The  following  is  a  complete  list  of  applications,  scripts,  scrapers,  or  other 
methodologies  used  by  GSR  or  any  entity  in  which  GSR  has  an  ownership  interest  to 
collect  Facebook  user  information  (“Facebook  Applications”): 

“thisisyourdigitallife”  Facebook  Application  (App  ID:  599050663475147)  operated  by 
Dr.  Kogan  and  then  Global  Science  Research  Ltd.  (“GSR”).  The  app  consisted  of  server 
side  scripts  (written  mostly  in  C#  and  VB.net,  running  on  an  ASP.net  platform)  and  a 
front-end  webpage  +  script  (html,  javascript).  The  app  under  GSR  collected  and  stored 
the  following  data  on  users  who  authorized  the  app  on  GSR  servers:  Name,  gender, 
location,  birthdate,  page  likes,  friends  list,  each  friend’s  name,  each  friend’s  gender,  each 
friend’s  location,  each  friend’s  birthdate,  each  friend’s  page  likes  (from  friends  whose 
privacy  settings  permitted  users  to  share  this  data  through  the  app). 

Philometrics  corporate  Facebook  page  -  https://www.facebook.com/philometrics/7frefAs. 
Neither  GSR  nor  Philometrics  actively  stores  nor  uses  the  data  that  exists  on  the 
corporate  page.  However,  Philometrics  receives  notifications  in  both  email  form  and  on 
the  Facebook  page  of  certain  events  on  the  page,  such  as  people  viewing  the  page  or 
people  liking  the  page.  Thus,  data  may  be  defined  as  “collected”  in  emails  or  Facebook 
accounts.  This  Philometrics  Facebook  corporate  page  does  not  (and  did  not)  collect  any 
data  from  the  “thisisyourdigitallife”  app. 

All  GSR  members  have  their  own  private  Facebook  profiles.  Through  these  profiles,  they 
(and  anyone  else  with  a  Facebook  profile)  can  access  a  wide  variety  of  content  on  other 
users.  The  profile  may  automatically  generate  email  communications  to  the  GSR 
member,  and  as  a  result  GSR  members  have  in  their  email  accounts  many  emails  from 
Facebook  respecting  actions  by  their  Facebook  friends. 

GSR  has  access  to  various  public  aggregated  Facebook  information  freely  available  from 
online  sources.  For  example,  aggregate  estimated  data  on  number  of  users  on  Facebook 
can  be  found  here:  http://www.statista.com/statistics/268136/top-15-countries-based-on- 
number-of-facebook-users/ 
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GSR  also  advertised  using  the  Facebook  advertising  platform.  As  part  of  each  advertising 
campaign,  Facebook  provided  all  of  the  information  that  normally  appears  in  the 
advertising  console  when  running  a  campaign.  GSR  did  not  use  this  data  for  any  purpose 
other  than  to  monitor  how  the  ad  campaign  was  doing. 

2.  The  following  is  a  complete  description  of  the  collection  of  Facebook  user  information 
obtained  by  GSR  from  the  Facebook  Applications: 

GSR  collected  and  stored  the  following  App  Data:  name,  gender,  birthdate, 
location,  and  page  likes  of  (a)  users  who  authorized  the  “thisisyourdigitallife”  app 
and  (b)  their  friends  (whose  privacy  settings  pennitted  users  to  share  this  data 
with  GSR  through  the  app). 

3.  The  following  is  a  complete  description  of  data  derived  by  GSR  from  such  Facebook  user 
infonnation: 

a)  predicted  survey  responses  to  a  wide  variety  of  demographic  and  psychological 
surveys; 

b)  average  survey  scores,  grouped  by  page  like,  demographic  groups,  and  geographic 
groups; 

b)  derived  dimensional  scores  summarizing  information  captured  in  the  “likes”;  and 

c)  a  co-occurrence  matrix  of  likes. 

4.  GSR  used  the  App  Data  for  the  following  purposes: 

Providing  modeled  data  to  certain  third  parties  listed  in  Section  6  below. 

Providing  SCL  Elections  Limited  (“SCL”)  with  data  for  predicted  survey  results. 

Shared  the  raw  Facebook  data  with  Eunoia  Technology  (“Eunoia”). 

Provided  Dr  Kogan’s  lab  with  all  of  the  raw  data.  As  set  forth  in  Dr.  Kogan’s 
Certificate  Exhibit  A2,  this  data  was  stored  on  Dr  Kogan’s  servers  and  was  not 
further  shared  with  anyone  else  except  in  extreme  summary  form  (e.g. 
presentation  of  results  at  conferences). 

5.  GSR  received  payments  totaling  approximately  750,000  GBP  from  a  single  entity 
as  a  result  of  use  and/or  disclosure  of  App  Data.  GSR  did  not  receive  any  payments  from 
any  other  entities  in  relation  to  the  App  Data.  All  of  the  payments  received  by  GSR  were 
used  to  operate  GSR.  None  of  the  payments  received  by  GSR  remain  as  reflected  by  the 
financial  statement  that  GSR  will  provide  to  Facebook  upon  filing  in  June  2016. 

6.  During  the  period  in  which  GSR  had  access  to  App  Data,  GSR  provided  the 
following  third  parties  (in  addition  to  Dr.  Kogan  and  his  lab)  with  access  to  or  some  or  all 
App  Data: 
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Name 

Contact  Infonnation 

Number  of  unique 
Facebook  Profiles 
Involved,  and  Specific 
Data  Points  Shared 

SCL 

Approximately  30  million 
people.  Shared  forecasted 
survey  responses  (derived 
from  page  likes)  and  some 
limited  profile  data  (such 
as  name,  location, 
birthday,  and  whether  an 
individual  had  liked  any  of 
a  limited  list  of  specific 
Facebook  pages) 

Eunoia 

Approximately  30 
million  people. 

Where  available, 
for  each  person 
shared  name, 
location,  birthday, 
and  page  likes 

Dan  Randles 

Received 
forecasted  survey 
responses  for 
approximately 

130,000  people. 

These  forecast  were 
derived  from  the 
page  likes  of 

130,000  people 
who  authorized  the 
thisisyourdigitallife 
app.  Location  and 
birth  year  were 
included,  but  no 
name  was  included 
to  ensure 
anonymity  of 
persons. 
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GSR  did  not  provide  access  to,  share,  or  disclose  App  Data  with  any  other  entity,  and  in 
particular  did  not  provide  access  to,  share  or  disclose  App  Data  to  Philometrics  Inc., 
which  has  a  shared  ownership  with  GSR. 

GSR  certifies  that  GSR  has  provided  a  copy  of  this  Certification  to  the  last  address 
known  to  GSR  for  each  and  every  third  party  listed  in  the  table  in  paragraph  6 
above  and  asked  them  to  provide  a  completed  Certification  in  the  form  set  forth  in 
Exhibit  B  to  GSR. 


GLOBAL  SCIENCE  RESEARCH  LTD. 

Name  of  Person  or  Entity  (Please  Print) 

06/11/2016 

By  Date 

CEO,  Director 

Title  (if  on  behalf  of  an  organization) 


130248750.4 


EXHIBIT  A2 


CERTIFICATION 

Dr.  Aleksandr  Kogan 

I,  Dr.  Aleksandr  Kogan,  personally  (“Dr.  Kogan”  or  “Recipient”)  certify  that  all 
Facebook  data  Dr.  Kogan  gathered  from  the  “thisisyourdigitallife”  Facebook  Application 
(App  ID:  599050663475 147),  including  but  not  limited  to  Facebook  user  data  and 
Facebook  user  friend  data  and  data  derived  from  such  Facebook  user  data  and  Facebook 
user  friend  data  (“App  Data”)  has  been  accounted  for  and  permanently  deleted  and 
destroyed  from  both  active  and  redundant  storage  that  is  under  Recipient’s  direct  or 
influential  control. 

1 .  In  addition  to  the  response  by  GSR  described  in  the  Certification  by  GSR  (Exhibit 
Al),  to  which  Dr  Kogan  has  access  to  as  part  of  GSR,  the  following  is  a  complete  list  of 
applications,  scripts,  scrapers,  or  other  methodologies  used  by  Dr.  Kogan  or  any  entity  in 
which  Dr.  Kogan  has  an  ownership  interest  to  collect  Facebook  user  information 
(“Facebook  Applications”): 

“thisisyourdigitallife”  Facebook  Application  (App  ID:  599050663475 147)  operated  by 
Dr.  Kogan  and  then  Global  Science  Research  Ltd.  (“GSR”).  The  app  consisted  of  server 
side  scripts  (written  mostly  in  C#  and  VB.net,  running  on  an  ASP.net  platform)  and  a 
front-end  webpage  +  script  (html,  javascript).  While  operated  by  Dr.  Kogan  (prior  to 
GSR’s  existence),  the  app  collected  the  following  data  on  users  who  authorized  the  app 
and  was  stored  on  Dr.  Kogan’s  lab  server:  Name,  gender,  location,  birthdate,  page  likes, 
friends  list,  each  friend’s  name,  each  friend’s  gender,  each  friend’s  location,  each  friend’s 
birthdate,  each  friend’s  page  likes  (from  friends  whose  privacy  settings  permitted  users  to 
share  this  data  through  the  app),  some  wall  posts  and  some  private  messages.  While 
under  Dr.  Kogan’s  private  operation  (and  data  stored  on  his  lab’s  server),  the  data  was 
used  exclusively  for  academic  purposes  by  his  lab. 

Dr  Kogan  has  his  own  private  Facebook  profile.  Through  this  profile,  Dr.  Kogan  (and 
anyone  else  with  a  Facebook  profile)  can  access  a  wide  variety  of  content  on  other  users. 
The  profile  automatically  generates  email  communications  to  Dr.  Kogan,  and  as  a  result 
Dr  Kogan  has  in  his  email  account  many  emails  from  Facebook  respecting  actions  by  his 
Facebook  friends. 

Dr  Kogan  has  access  to  various  public  aggregated  Facebook  information  freely 
available  from  online  sources.  For  example,  aggregate  estimated  data  on  number 
of  users  on  Facebook  can  be  found  here: 

http://www.statista.com/statistics/268136/top-15-countries-based-on-number-of- 

facebook-users/ 


Facebook  user  information  provided  to  Dr.  Kogan  by  Facebook.  In  particular,  Facebook 
has  provided  Dr.  Kogan  with  country  level  data  on  number  of  friendships  and  emoticons 
used  as  a  part  of  an  ongoing  research  relationship. 
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2.  In  addition  to  collection  by  GSR  described  in  the  Certification  by  GSR  (Exhibit  Al),  the 
following  is  a  complete  description  of  the  collection  of  Facebook  user  infonnation  obtained  from 
the  Facebook  Applications: 


Aggregated,  country  level  data  provided  directly  by  Facebook  for  academic  research 
papers  prepared  in  collaboration  with  the  Protect  and  Care  team  at  Facebook,  including 
the  following  papers: 

1)  Tracing  Cultural  Similarities  and  Differences  in  Emotional  Expression  through 
Digital  Records  of  Emotions. 

2)  Birds  of  a  Feather  Flock  Together  and  Opposites  Attract?  The  Relationship 
between  Cross-National  Value  Similarities  and  Online  Social  Networks. 

3)  Amount  and  Diversity  of  Digital  Emotional  Expression  on  Predicts  Life 
Satisfaction  Around  the  World. 

4)  Happiness  Predicts  Larger  Online  Social  Networks  for  Nations  and  Individuals 
Low,  but  not  High,  in  Consumeristic  Attitudes  and  Behaviors. 

5)  Silk  Road  to  Friendships:  Economic  Cooperation  is  Associated  with 
International  Friendships  around  the  World. 

6)  International  friendships  predict  government  aid  after  natural  disasters 

7)  Emotional  Expression  Follow  Different  Life  Course  Trajectories  for  Rich 
versus  Poor  Nations 

8)  Big  Data  Public  Health:  Online  Friendships  can  Identify  Populations  At-Risk 
of  Physical  Health  Problems  and  All-Causes  Morbidity. 

Dr  Kogan  also  has  one  paper  entitled  “Donations  Predict  Social  Capital  Gains  for  Low 
SES,  But  Not  High  SES  Individuals  and  Countries”  which  was  prepared  with  a  graduate 
student  in  his  lab,  other  academic  collaborators,  and  members  (current  and  former)  of  the 
Protect  and  Care  team  at  Facebook  that  contains  data  collected  from  the 
“thisisyourdigitallife”  app.  In  particular,  this  paper  calculates  number  of  friends  per 
consenting  user.  This  data  was  used  exclusively  for  academic  purposes.  The  paper  has 
previously  been  reviewed  and  approved  by  Facebook’s  internal  review  team. 

In  addition  to  all  of  the  App  Data  collected  from  “thisisyourdigitallife”  by  GSR,  Dr 
Kogan  also  has  a  dataset  collected  by  his  lab  using  the  app  before  GSR  existed.  The  data 
includes  up  to  several  million  people — which  was  the  result  of  several  thousand 
participants  partaking  in  the  study  and  data  from  their  friends  being  collected  as  well.  The 
data  on  these  users  that  Dr.  Kogan’s  lab  holds  are  as  follows:  names,  gender,  birthdate, 
location,  and  page  likes.  In  addition,  for  people  who  participated  in  the  study  and 
provided  consent,  Dr  Kogan  has  limited  wall  post  and  private  message  data. 
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3.  In  addition  to  the  description  by  GSR  described  in  the  Certification  by  GSR  (Exhibit  Al),  the 
following  is  a  complete  description  of  data  derived  by  Dr.  Kogan  from  Facebook  user 
infonnation: 

From  the  “thisisyourdigitallife”  app: 

(a)  predicted  survey  responses  to  a  wide  variety  of  demographic  and 
psychological  surveys 

(b)  average  survey  scores,  grouped  by  page  like,  demographic  groups,  and 
geographic  groups; 

(c)  derived  dimensional  scores  summarizing  information  captured  in  the  “likes”; 
and 

(d)  a  co-occurrence  matrix  of  likes. 

From  Facebook  user  information  provided  to  Dr.  Kogan  by  Facebook: 

(a)  Number  of  friendships  created  between  each  country  pair,  monthly 

(b)  Ratio  of  domestic  to  international  friendships  within  a  country 

(c)  Number  of  emoticons  used  per  capita  and  per  person  in  each  country 

(d)  Number  of  emoticons  used  per  capita  and  per  person  by  various  age  groups  in 
each  country 

(e)  Other  summaries  of  the  aggregated  friendship  and  emoticon  usage  data 

4.  In  addition  to  use  by  GSR  described  in  the  Certification  by  GSR  (Exhibit  Al),  Dr. 

Kogan  used  the  App  Data  for  the  following  purposes: 

At  the  University  of  Cambridge  Prosociality  and  Well-being  Faboratory: 

Number  of  unique  Facebook  Profiles  Involved,  and  Specific  Data  Points 
Shared:  Profiles  for  approximately  50  million  people.  Where  available, 
each  person  shared  name,  location,  birthday,  and  page  likes. 

The  App  Data  was  used  by  Dr.  Kogan  and  his  research  team  to  prepare  a 
variety  of  manuscripts  on  social  psychological  and  methodological 
questions.  None  of  the  manuscripts  were  ever  submitted  for  publication. 

A  single  paper  using  the  App  Data  was  submitted  for  review,  which  was 
reviewed  by  several  reviewers.  The  paper  has  been  retracted  before  any 
publication.  The  paper  presented  summary  statistical  data,  but  never  any 
individual  records. 

Dr  Kogan  has  also  presented  at  various  academic  conferences  and 
university  talks  results  from  the  App  Data.  In  these  talks,  Dr  Kogan 
presented  summary  findings  from  the  data,  but  never  any  individual 
records.  None  of  the  manuscripts  were  ever  submitted  for  publication. 
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5.  The  sole  payments  Dr.  Kogan  received  that  were  related  to  App  Data  were 
expense  reimbursements.  Dr.  Kogan  received  no  salary,  distributions  or  dividends 
related  to  App  Data. 

6.  In  addition  to  the  sharing  by  GSR  described  in  the  Certification  by  GSR  (Exhibit 
Al),  during  the  period  in  which  Dr.  Kogan  had  access  to  App  Data,  members  of  Dr. 
Kogan’s  research  group  had  access  to  some  of  the  data  on  the  lab  servers  for  analyses. 
However,  data  copying  or  moving  off  the  servers  was  prohibited,  and  to  the  best  of  Dr. 
Kogan’s  knowledge,  never  occurred. 

Dr.  Kogan  did  not  provide  access  to,  share,  or  disclose  App  Data  with  any  entity  other 
than  those  identified  in  Exhibit  Al,  including  without  limitation  Philometrics  Inc.,  in 
which  Dr.  Kogan  had  or  has  an  ownership  interest. 


DR.  ALEKSANDR  KOGAN 


Name  of  Person  or  Entity  (Please  Print) 


06/11/2016 


Date 
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EXHIBIT  B 


CERTIFICATION 

I, _ ,  personally  if  acting  in  an  individual  capacity, 

or  on  behalf  of _ ,  if  acting  on  behalf  of  an 

organization  or  entity,  (“Recipient”)  certify  that  all  Facebook  data  gathered  by  the 
“thisisyourdigitallife”  Facebook  Application  (App  ID:  599050663475147),  received  from 
or  on  behalf  of  Global  Science  Research  Ltd.  (“GSR”)  or  Dr.  Aleksandr  Kogan  (“Dr. 
Kogan”),  including  but  not  limited  to  Facebook  user  data  and  Facebook  user  friend  data 
and  data  derived  from  such  Facebook  user  data  and  Facebook  user  friend  data  (“App 
Data”)  has  been  accounted  for  and  permanently  deleted  and  destroyed  from  both  active 
and  redundant  storage  that  is  under  my  direct  or  influential  control. 

1 .  The  Recipient  used  this  infonnation  for  the  following  purposes: 


2.  The  Recipient  received _ in  revenue  as  a  result  of  its  use  and/or 

disclosure  of  App  Data.  The  Company  will  disgorge  the  amount  listed  above  to 
Facebook,  Inc.  upon  request. 

3.  During  the  period  in  which  the  Recipient  had  access  to  App  Data,  the  following 
third  parties  had  access  to  or  where  provided  with  some  or  all  App  Data: 


Name 

Contact  Information 

Number  of  unique  Facebook 

Profiles  Involved,  and  Specific 

Data  Points  Shared 

4.  In  consideration  for  the  Recipient’s  complete  and  accurate  execution  of  this 
Certification,  upon  receipt  of  a  such  this  Certification,  Facebook  and  its  agents,  partners, 


130248750.4 


representatives,  heirs,  successors,  predecessors,  and  assigns  and  each  of  them  release  and 
forever  discharge  the  Recipient  from  any  and  all  claims,  demands,  damages,  liabilities, 
suits,  actions,  and  causes  of  action,  related  in  any  way  to  the  Recipient’s  use  and 
disclosure  of  App  Data  disclosed  in  paragraphs  1  and  3.  This  release  shall  be  void  if  the 
infonnation  provided  in  this  Certification  is  not  complete  or  accurate. 

I  certify  that  I  have  provided  a  copy  of  this  Certification  to  each  and  every  third 
party  listed  in  the  table  in  paragraph  3  above  and  asked  them  to  provide  a 
completed  Certification  to  me.  Upon  receipt,  I  will  promptly  forward  the 
certification  to  GSR  at _ . 


Name  of  Person  or  Entity  (Please  Print) 


By 


Date 


Title  (if  on  behalf  of  an  organization) 


FACEBOOK,  INC. 


By: 

Its: 


130248750.4 


EXHIBIT  B 


CERTIFICATION 

I, _ Dr.  Michael  Inzlicht _ ?  personally  if  acting  in  an  individual  capacity, 

or  on  behalf  of  Toronto  Laboratory  for  Social  Neuroscience _ ,  if  acting  On  behalf  of  an 

organization  or  entity,  (“Recipient”)  certify  that  all  Facebook  data  gathered  by  the 
“thisisyourdigitallife”  Facebook  Application  (App  ID:  599050663475147),  received  from 
or  on  behalf  of  Global  Science  Research  Ltd.  (“GSR”)  or  Dr.  Aleksandr  Kogan  (“Dr. 
Kogan”),  including  but  not  limited  to  Facebook  user  data  and  Facebook  user  friend  data 
and  data  derived  from  such  Facebook  user  data  and  Facebook  user  friend  data  (“App 
Data”)  has  been  accounted  for  and  permanently  deleted  and  destroyed  from  both  active 
and  redundant  storage  that  is  under  my  direct  or  influential  control. 

1 .  The  Recipient  used  this  information  for  the  following  purposes: 

Academic  research 


2.  The  Recipient  received  _ in  revenue  as  a  result  of  its  use  and/or 

disclosure  of  App  Data.  The  Company  will  disgorge  the  amount  listed  above  to 
Facebook,  Inc.  upon  request. 

3.  During  the  period  in  which  the  Recipient  had  access  to  App  Data,  the  following 
third  parties  had  access  to  or  where  provided  with  some  or  all  App  Data: 


Name 

Contact  Information 

Number  of  unique  Facebook 

Profiles  Involved,  and  Specific 

Data  Points  Shared 

None 

4.  In  consideration  for  the  Recipient’s  complete  and  accurate  execution  of  this 
Certification,  upon  receipt  of  a  such  this  Certification,  Facebook  and  its  agents,  partners, 


130248750.4 


representatives,  heirs,  successors,  predecessors,  and  assigns  and  each  of  them  release  and 
forever  discharge  the  Recipient  from  any  and  all  claims,  demands,  damages,  liabilities, 
suits,  actions,  and  causes  of  action,  related  in  any  way  to  the  Recipient’s  use  and 
disclosure  of  App  Data  disclosed  in  paragraphs  1  and  3.  This  release  shall  be  void  if  the 
information  provided  in  this  Certification  is  not  complete  or  accurate. 

I  certify  that  I  have  provided  a  copy  of  this  Certification  to  each  and  every  third 
party  listed  in  the  table  in  paragraph  3  above  and  asked  them  to  provide  a 
completed  Certification  to  me.  Upon  receipt,  I  will  promptly  forward  the 
certification  to  GSR  at  The  Lexicon  10-12,  Mount  Street,  Manchester, 

Lancashire  M2  5NT  or  via  email  attachment  to 
info@globalscienceresearch.com. 


Dr.  Michael  Inzlicht 


Name  of  Person  or  Entity  (Please  Print) 


July  7  201 6 


By 


Date 


Title  (if  on  behalf  of  an  organization) 


FACEBOOK,  INC. 


By: 


Its: 


130248750.4 


CERTIFICATION 


I,  Alexander  Nix,  on  behalf  of  SCL  Elections  Limited  (“SCL”),  certify  that  all  Facebook 
data  gathered  by  the  “thisisyourdigitallife”  Facebook  Application  (App  ID: 
599050663475147),  received  from  or  on  behalf  of  Global  Science  Research  Ltd.  (“GSR”) 
or  Dr.  Aleksandr  Kogan  (“Dr.  Kogan”),  including  but  not  limited  to  Facebook  user  data 
and  Facebook  user  friend  data  and  data  derived  from  such  Facebook  user  data  and 
Facebook  user  friend  data  (“App  Data”)  has  been  accounted  for  and  permanently  deleted 
and  destroyed  from  both  active  and  redundant  storage  that  is  under  my  direct  or 
influential  control. 


1 .  The  Recipient  used  this  information  for  the  following  purposes: 

To  train  a  model  to  predict  personality  using  commercially  available  demographic, 
consumer  and  lifestyle  data.  In  out-of-sample  testing,  it  was  found  that  this  model  was 
statistically  only  slightly  more  accurate  than  random,  and  the  approach  was  abandoned. 
After  Facebook  contacted  SCL  in  December  2015  we  deleted  all  data  we  received  from 
Dr  Kogan.  This  includes  dropping  all  database  tables,  and  deleting  the  raw  data  (stored  as 
csv)  from  our  encrypted  fileserver. 

2.  During  the  period  in  which  the  Recipient  had  access  to  App  Data,  the  following  third 
parties  had  access  to  or  where  provided  with  some  or  all  App  Data: 

No  third  parties  had  access  to  the  App  Data  at  any  time. 

This  certificate  is  provided  in  order  to  assist  Facebook  with  its  investigations  into 
the  use  of  the  App  Data  and  the  information  contained  herein  is  true  to  the  best  of 
my  knowledge,  information  and  belief  but  this  certificate  is  provided  without 
liability  or  prejudice  to  me  personally  or  to  SCL  and  cannot  be  relied  upon  to  found 
any  action  against  SCL  or  any  related  person  or  entity. 


Ales 

For  and  on  behalf  of  SCL  Elections  Limited 


EXHIBIT  B 


CERTIFICATION 

^F&STBf'MsC  6‘JV'f£"'^  , -personally  if  acting  in  un-individual  eapaehyr 

erron  behalf  of  _ ,  if  acting  on  behalf  of  an 

organization  or  entity,  (“Recipient”)  certify  that  all  Facebook  data  gathered  by  the 
“thisisyourdigitallife”  Facebook  Application  (App  ID:  599050663475147),  received  from 
or  on  behalf  of  Global  Science  Research  Ltd.  (“GSR”)  or  Dr.  Aleksandr  Kogan  (“Dr. 
Kogan”),  including  but  not  limited  to  Facebook  user  data  and  Facebook  user  friend  data 
and  data  derived  from  such  Facebook  user  data  and  Facebook  user  friend  data  (“App 
Data”)  has  been  accounted  for  and  permanently  deleted  and  destroyed  from  both  active 
and  redundant  storage  that  is  under  my  direct  or  influential  control. 

1 .  The  Recipient  used  this  information  for  the  following  purposes: 

fJr»oe  OeuBreo  ,K>  _ 


2.  The  Recipient  received _ _ in  revenue  as  a  result  of  its  use  and/or 

disclosure  of  App  Data.  The  Company  will  disgorge  the  amount  listed  above  to 
Facebook,  Inc.  upon  request. 

3.  During  the  period  in  which  the  Recipient  had  access  to  App  Data,  the  following 
third  parties  had  access  to  or  where  provided  with  some  or  all  App  Data: 


4.  In  consideration  for  the  Recipient’s  complete  and  accurate  execution  of  this 
Certification,  upon  receipt  of  a  such  this  Certification,  Facebook  and  its  agents,  partners, 


130248750.4 


representatives,  heirs,  successors,  predecessors,  and  assigns  and  each  of  them  release  and 
forever  discharge  the  Recipient  from  any  and  all  claims,  demands,  damages,  liabilities, 
suits,  actions,  and  causes  of  action,  related  in  any  way  to  the  Recipient  s  use  and 
disclosure  of  App  Data  disclosed  in  paragraphs  1  and  3.  This  release  shall  be  void  if  the 
information  provided  in  this  Certification  is  not  complete  or  accurate. 

I  certify  that  I  have  provided  a  copy  of  this  Certification  to  each  and  every  third 
party  listed  in  the  table  in  paragraph  3  above  and  asked  them  to  provide  a 
completed  Certification  to  me.  Upon  receipt,  I  will  promptly  forward  the 
certification  to  GSR  at  _ _ _  _ ' 


£uk)oi a  TecsHfJouxjtef ,  tut- 1 
K  ""  "  ■  ity  (Please  Print) 


0ie.e*=TO  ^ 


Date 


Title  (if  on  behalf  of  an  organization) 


FACEBOOK,  INC. 


By: 


Its: 


130248750.4 


